
Vulnerability_id VCID-6mnj-bxhw-gbfy
Summary OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `JwtFilter` handles API authentication by requiring and verifying JWT tokens. It keeps a list of excluded endpoints that do not require authentication; when a new request comes in, the request's path is checked against this list, and if the path contains any of the excluded endpoints the filter returns without validating the JWT. Unfortunately, an attacker may use path parameters to make any path contain arbitrary strings. For example, a request to `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` will match the excluded endpoint condition and therefore will be processed with no JWT validation, allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint, including the ones listed above that lead to arbitrary SpEL expression injection. This bypass will not work when the endpoint uses `SecurityContext.getUserPrincipal()`, since it will return `null` and throw an NPE. This issue may lead to authentication bypass and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-237`.
Aliases
0
alias CVE-2024-28255
Fixed_packages
Affected_packages
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28255
reference_id
reference_type
scores
0
value 0.93917
scoring_system epss
scoring_elements 0.99886
published_at 2026-06-12T12:55:00Z
1
value 0.93917
scoring_system epss
scoring_elements 0.99887
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28255
1
reference_url https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-6wx7-qw5p-wh84
reference_id GHSA-6wx7-qw5p-wh84
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-07-16T00:26:07Z/
url https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-6wx7-qw5p-wh84
2
reference_url https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L111
reference_id JwtFilter.java#L111
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-07-16T00:26:07Z/
url https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L111
3
reference_url https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L113
reference_id JwtFilter.java#L113
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-07-16T00:26:07Z/
url https://github.com/open-metadata/OpenMetadata/blob/e2043a3f31312ebb42391d6c93a67584d798de52/openmetadata-service/src/main/java/org/openmetadata/service/security/JwtFilter.java#L113
Weaknesses
0
cwe_id 287
name Improper Authentication
description When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Exploits
0
date_added null
description
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. This module chains two vulnerabilities that exist in the OpenMetadata application. The first vulnerability, CVE-2024-28255, bypasses the API authentication using JWT tokens. It misuses the `JwtFilter`, which checks the path of the URL endpoint against a list of excluded endpoints that do not require authentication. Unfortunately, an attacker may use path parameters to make any path contain arbitrary strings that will match the excluded endpoint condition and therefore will be processed with no JWT validation, allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint. By chaining this vulnerability with CVE-2024-28254, which allows for arbitrary SpEL injection at endpoint `/api/v1/events/subscriptions/validation/condition/<expression>`, attackers are able to run arbitrary commands using Java classes such as `java.lang.Runtime` without any authentication. OpenMetadata versions `1.2.3` and below are vulnerable.
required_action null
due_date null
notes
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - ioc-in-logs
  - artifacts-on-disk
known_ransomware_campaign_use false
source_date_published 2024-03-15
exploit_type null
platform Linux,Unix
source_date_updated null
data_source Metasploit
source_url https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/http/openmetadata_auth_bypass_rce.rb
Severity_range_score 9.8 - 9.8
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6mnj-bxhw-gbfy